
Manipulating WSUS to Own Enterprises

Researchers at Black Hat found a weak spot in some WSUS configurations that could allow an attacker to compromise any server or desktop in an enterprise.

LAS VEGAS – Windows Server Update Services (WSUS) is your friend if you run an enterprise IT shop, because it centralizes the download and distribution of security patches, service pack installations and hardware driver updates, among other things.

Two researchers this week at the Black Hat conference, however, point out that WSUS can be a significant weakness that can lead to the complete compromise of any server or desktop in an organization hooked up to the automated update service.

Paul Stone and Alex Chapman of Context Information Security in the U.K. took a long look at the WSUS attack surface and found that when a Windows client checks in with its WSUS server for updates, it does so over XML SOAP web services, and in a default WSUS installation those exchanges are not made over SSL. The update binaries themselves are signed by Microsoft and the client verifies those signatures, but Stone and Chapman found that an attacker who is already in a man-in-the-middle position on the corporate network could, with some work, tamper with the unencrypted update metadata and inject a malicious update of their own.

Turning on SSL during the initial WSUS configuration mitigates the attack, but it is the last step of the WSUS setup and some organizations skip it. An attacker who manages to get a malicious update into an organization via WSUS could do anything from removing, downgrading or blocking legitimate patches to taking full control of servers and desktops.

“It’s the worst-case scenario and it’s fairly bad,” Stone said. “And it’s not a vulnerability, it’s not something for Microsoft to fix.”

Stone and Chapman said they have had a dialogue with Microsoft about their research; Microsoft acknowledged it and said that it recommends enterprise admins turn on SSL. Doing so requires provisioning an SSL certificate for the WSUS server that the updating machines trust, a step that cannot be automated on Microsoft's side.

“It’s not difficult and it’s something that most admins would know how to do,” Stone said. “Microsoft cannot do it by default. They could prevent it from working until a cert is put in, I suppose.”
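As an added example (not from the article, from Context or from Microsoft), the PowerShell below audits the two places that reveal whether this last step was taken: the WSUS URL pushed to clients by Group Policy, and the flag that wsusutil sets on the server when SSL has been configured. The registry paths and value names are the documented ones; the hostname wsus.corp.example and the SSL port 8531 in the remediation comments are placeholders for your own environment.

```powershell
# Added example: audit WSUS SSL posture. Registry keys and value names below
# are the documented ones; wsus.corp.example is a placeholder hostname.

function Test-WsusUrl {
    param([string]$Label, [string]$Url)
    if (-not $Url) { return "$Label: not set (machine is not pointed at a WSUS server)" }
    $uri = [uri]$Url
    if ($uri.Scheme -eq 'https') { return "$Label: OK, $Url uses SSL" }
    "$Label: WEAK, $Url is plain HTTP; an on-path attacker can rewrite update metadata"
}

# Client side: the WSUS location delivered by Group Policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$client = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
Test-WsusUrl 'WUServer'       $client.WUServer
Test-WsusUrl 'WUStatusServer' $client.WUStatusServer

# Server side (run on the WSUS server itself): UsingSSL is set to 1 by
# "wsusutil configuressl", the step the article says is often skipped.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$server = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue
if ($server) {
    if ($server.UsingSSL -eq 1) { "WSUS server: OK, SSL is configured" }
    else { "WSUS server: WEAK, UsingSSL=$($server.UsingSSL); apply the remediation below" }
}

# Remediation outline (placeholders; follow Microsoft's WSUS SSL documentation):
# 1. In IIS, bind a certificate the clients trust to the WSUS Administration site and
#    require SSL on ApiRemoting30, ClientWebService, DSSAuthWebService,
#    ServerSyncWebService and SimpleAuthWebService.
# 2. & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl wsus.corp.example
# 3. Repoint clients at the SSL port, normally by editing the Group Policy object
#    that delivers these values rather than the local registry:
#    Set-ItemProperty -Path $policyKey -Name WUServer       -Value 'https://wsus.corp.example:8531'
#    Set-ItemProperty -Path $policyKey -Name WUStatusServer -Value 'https://wsus.corp.example:8531'
```

Run the client-side part on any domain member to see whether it still talks to WSUS over plain HTTP; an https:// URL on the client only helps if the server-side UsingSSL flag is also set, otherwise the client simply fails to update.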

Stone and Chapman said they decided to focus on driver updates because most drivers are written by third parties for Windows servers and clients, which made them an easier target. Although the update binaries are signed and verified, the XML metadata that tells the client what to download and how to install it is not protected in transit, so it can be modified to point the client at a different binary and have it executed.

Windows Update will verify that each update is signed by Microsoft. However, there is no specific ‘Windows Update’ signing certificate–any file that is signed by a Microsoft CA will be accepted. By injecting an update that uses the CommandLineInstallation update handler, an attacker can cause a client to run any Microsoft-signed executable, even one that was not intended to be used in Windows Update. Even better, the executable can be run with arbitrary arguments. Therefore we need to find a suitable executable that will allow arbitrary commands to be executed.
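The previous two paragraphs describe the core of the technique: the metadata, not the signed binary, is what the attacker rewrites, and the CommandLineInstallation handler turns any Microsoft-signed executable into a command runner. As an added example (not from Context's paper, the article or Microsoft), the PowerShell below scans update metadata for that handler and rates the program it would launch. The sample XML is constructed for the example and only approximates the real WSUS schema; the element and attribute names HandlerSpecificData, InstallCommand, Program and Arguments are assumptions, as is the list of dual-use binaries.

```powershell
# Added example: flag updates whose metadata uses the CommandLineInstallation
# handler, which lets the client run any Microsoft-signed executable as SYSTEM
# with attacker-chosen arguments. The XML is constructed and approximates the
# real schema (element and attribute names are assumptions).
$sampleMetadata = @'
<Updates>
  <Update>
    <UpdateIdentity UpdateID="11111111-1111-1111-1111-111111111111" RevisionNumber="1"/>
    <Properties UpdateType="Driver"/>
    <HandlerSpecificData type="drv:WindowsDriver">
      <WindowsDriverMetaData HardwareID="usb\vid_0000" />
    </HandlerSpecificData>
  </Update>
  <Update>
    <UpdateIdentity UpdateID="22222222-2222-2222-2222-222222222222" RevisionNumber="1"/>
    <Properties UpdateType="Software"/>
    <HandlerSpecificData type="cmd:CommandLineInstallation">
      <InstallCommand Program="PsExec.exe"
                      Arguments="-accepteula -s -d cmd.exe /c whoami &gt; C:\Windows\Temp\out.txt"
                      DefaultResult="Succeeded" />
    </HandlerSpecificData>
  </Update>
</Updates>
'@

# Microsoft-signed binaries that become a command runner once the client can be
# told to execute them with arbitrary arguments (illustrative list, an assumption).
$dualUse = @('psexec.exe', 'psexec64.exe', 'cmd.exe', 'powershell.exe', 'bginfo.exe', 'rundll32.exe')

function Find-CommandLineUpdates {
    param([Parameter(Mandatory)][string]$MetadataXml)
    [xml]$doc = $MetadataXml
    foreach ($u in @($doc.Updates.Update)) {
        $handler = $u.HandlerSpecificData
        # Only the command-line handler can launch an arbitrary program.
        if (-not $handler -or $handler.type -ne 'cmd:CommandLineInstallation') { continue }
        $cmd  = $handler.InstallCommand
        $name = [IO.Path]::GetFileName([string]$cmd.Program).ToLowerInvariant()
        $severity = 'REVIEW'
        if ($dualUse -contains $name) { $severity = 'HIGH' }
        [pscustomobject]@{
            UpdateID  = $u.UpdateIdentity.UpdateID
            Program   = $cmd.Program
            Arguments = $cmd.Arguments
            Severity  = $severity
        }
    }
}

# Only the second, injected update is reported; the driver update passes silently.
Find-CommandLineUpdates -MetadataXml $sampleMetadata | Format-List
```

Legitimate updates do use this handler, so the check is a triage aid rather than a verdict: anything it reports with a dual-use program, or arguments that mention cmd.exe or a writable path, deserves a look at where the metadata came from and whether the WSUS channel was SSL-protected at the time.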

“Essentially, we made a program which man-in-the-middles the WSUS traffic, and then created a fake update and then told the machine to download PsExec and run it with whatever arguments to do something malicious,” Chapman said. “That’s the attack. The really fun thing is that all updates are installed as system whether you’re a low privileged user or an admin. So this is quite powerful.”

The only prerequisite for the attack is to already be on the network. From there, even an unauthenticated attacker can run the attack against any machine that updates from a WSUS server without SSL and execute arbitrary commands on it, Chapman said.

“The hard thing was just finding the signed Microsoft executables we could put down and run to do useful things,” Chapman said.

Authors

Threatpost
